Authentic8 Blog Category: Security

Interview: HTTPS Interception, TLS Fingerprinting, and the Browser

Use HTTPS, they said. Make sure your browsers shows that green padlock, they said. You’ll be safe, nobody can eavesdrop, they said.

IT security teams and threat hunters, who are familiar with the inherent security weakness of the web’s underlying protocols, know better.

The problem with HTTPS internet connections is similar to the problem with VPN. Or, as Larry Loeb put it in his post HTTPS: Beware the False Sense of Security on this blog: “[U]sers think that it does more than it actually does.”

For starters, a basic HTTPS connection gets established when the browser (client) connects directly to an origin server to send requests and download content protected by TLS-based  encryption. Still, this communication is vulnerable to interception.

The reason is simple. Often, the browser doesn’t connect directly with the web server serving the website. Instead, data gets routed through a proxy or middlebox, a.k.a. "monster-in-the-middle" (MITM). HTTPS interception, for benign or malign reasons,

Interview: James Kettle Explains HTTP Desync Attacks (In Under 3 Minutes)

$70k - how's that for a bug bounty total netted from an almost forgotten web exploit?

At Black Hat USA 2019 in Las Vegas, James Kettle of Portswigger Web Security demonstrated how he pulled it off. The security researcher used an old (by internet standards) technique called HTTP Request Smuggling, which was first documented back in 2005.

It still works. Kettle's exploit schemes, dubbed Desync Attacks, leverage the HTTP protocol support for sending multiple HTTP  requests over a single underlying TCP or SSL/TLS socket.

HTTP requests are traditionally understood as isolated entities that are placed back to back. In his presentation of request smuggling attacks for cybersecurity researchers, Kettle showed how he was able to overcome this compartmentalization.

The British threat hunter's approach enabled him to splice requests into others, as he said, to "gain maximum privilege  access to internal APIs, poison web caches, and compromise what's possibly your most trusted login page."

How did he do it? And what does

Do You Have What It Takes to Prevent Ransomware?

Malicious software has nearly always been a factor to consider when it comes to managing the IT environment. Have we learned the right lessons?

*

I remember going on calls to a credit card company early in my career, as a then-time field engineer, to diagnose issues that had cropped up on several Dell PCs.

Back in 1991, these were basic PCs with floppy drive systems and 10MB hard disk drives - state-of-the-art desktops at the time, monochrome screens and all.

After some analysis, we concluded that the systems were infected with a virus, a rare occurrence at the time. The Michelangelo virus was just days away from executing, and our options to remove it were limited.

Only two vendors existed to clean malware, and the software had to be downloaded using a 1200 baud modem from a bulletin board. Usually, one vendor or the other would detect and remove the small number of malware samples in the wild at the time. Thankfully,

How to Secure Your Content Management System (CMS)

By Derek Handova

Content management systems present attractive targets for cybercriminals and state-sponsored adversaries. E-commerce sites, investor relations pages, and HR portals are just three examples where CMS vulnerabilities can cause severe reputational and financial harm.

The CMS offers multiple attack surfaces for targeting commercial or public sector entities. How can IT, administrators, creative personnel, and developers ensure CMS security?

*

In 2018 alone, more than 18 million CMS users suffered security breaches. 73.2 percent of well-known websites managed with WordPress, the most widely used CMS, contained vulnerabilities exploitable through common attacks.

Which security approaches would effectively protect CMS owners, their network, their business, and their customers? To answer this question, we have to confront the issue that many data breach vulnerabilities lie within the surface layer of the websites themselves.

There, threat actors can insert malicious code without website owners even knowing about it. For example, RiskIQ recently reported that JavaScript vulnerabilities in CloudCMS and Picreel web service scripts allowed the

Green Padlocks, Gray Padlocks - Does Anyone Really Care?

At the BlackHat conference in Las Vegas earlier this month, I had a chance to chat with Troy Hunt (creator of haveibeenpwned.com) and Scott Helme (founder of report-uri.com) about the protracted death of Extended Validation (EV) certificates.

We also talked about the fallacy of expecting users to make sense of how browsers interpret SSL/TLS certificates and about browser security in general.

What good do "security aesthetics" of a certificate accomplish when browsers no longer support it?

Listen to our conversation here.